On Tue, 2010-08-31 at 20:39 +0200, Dominick Grift wrote:
> On 08/31/2010 08:33 PM, Arthur Dent wrote:
> > On Sat, 2010-08-14 at 10:45 +0200, Dominick Grift wrote:
> >> On 08/14/2010 10:06 AM, Arthur Dent wrote:
> >>
> >>> And this is what audit2allow makes of them...
> >>>
> >>> require {
> >>> type mlogc_t;
> >>> }
> >>>
> >>> #============= mlogc_t ==============
> >>> files_delete_root_dir_entry(mlogc_t)
> >>> files_delete_tmp_dir_entry(mlogc_t)
> >>> miscfiles_manage_cert_files(mlogc_t)
> >>>
> >>>
> >>> Should I add these to the above policy, or is there some other way?
> >>>
> >>> Thanks in advance for any help or suggestions...
> >>>
> >>> Mark
> >>>
> >>
> >> There are some issues:
> >>
> >> 1. I would go here:
> >> https://lists.sourceforge.net/lists/listinfo/mod-security-users and ask
> >> if it is normal that mlogc writes to certificate databases. It's trying
> >> to write to files like: cert9.db, key4.db.
> >
> > OK - Sorry it's taken a while to get back to this - but I had the
> > discussion over on the mod-sec list, had to set up a strace and send the
> > strace log.
> >
> > This is what Brian Rectanus had to say having analysed the strace log:
> >
> > ====================8<=================================================
> >
> > Looking at the strace logs, it first tries to open those files
> > read/write, but cannot, so it resorts to read only access. I do not
> > see any calls to write to those files, though:
> >
> > 14612 open("/etc/pki/nssdb/key4.db", O_RDWR|O_CREAT|O_LARGEFILE, 0644)
> > = -1 EACCES (Permission denied)
> > 14612 open("/etc/pki/nssdb/key4.db", O_RDONLY|O_LARGEFILE) = 11
> >
> > 14612 open("/etc/pki/nssdb/cert9.db", O_RDWR|O_CREAT|O_LARGEFILE,
> > 0644) = -1 EACCES (Permission denied)
> > 14612 open("/etc/pki/nssdb/cert9.db", O_RDONLY|O_LARGEFILE) = 8
> >
> > I imagine that those attempts at opening read/write are what is
> > triggering SELinux. This is the curl library accessing these files for
> > certificate verification (via Mozilla's NSS library). They are sqlite
> > DBs. I am not sure why it is trying to access them read/write,
> > though. It looks like NSS support was added to curl with version
> > 7.19.7. If it is a problem (and it may be), then you will probably
> > have to take it up with curl folks. However, they will probably tell
> > you it is a libnss issue :)
> >
> > Sorry I cannot help more.
> >
> > -B
> >
> > ====================8<=================================================
> >
> > Well - Where does that leave me?
> >
> > Mark
> >
>
> I guess you will have to decide for yourself whether you want to permit
> mlogc to read and write your system certificate files.
>
> Try to reproduce the issue in permissive mode and enclose the AVC
> denials so that we can extend the mlogc module.

Reproducing it in permissive mode will take a little effort (I either
have to wait for an event - not too frequent at the moment - or try to
re-inject a previous event).

In the meantime, here are the two most recent whilst in enforcing mode: